777bb88f0340d9c3be6ce71ca561f7a7e8d0f372cb745d6ccfbe6a18a7fa345c

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
05-05-2024 09:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2f0aaee99e8411db8265db84227af6be_JaffaCakes118.exe
Size

3.0MB
MD5

2f0aaee99e8411db8265db84227af6be
SHA1

c7c26070b9e3bc5e0cbdd225ed9c1da43c565482
SHA256

777bb88f0340d9c3be6ce71ca561f7a7e8d0f372cb745d6ccfbe6a18a7fa345c
SHA512

fb1239e27f9531eb7ecaa3a7550eff61889cec37b47ba4e74dc6ca38176a6c377873aab43afd73a99d768021320e76984142d0d38b0713f15b0a8d7bd72f1280
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBIB/bSqz8b6LNX:sxX7QnxrloE5dpUpDbVz8eLF

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe	2f0aaee99e8411db8265db84227af6be_JaffaCakes118.exe

Executes dropped EXE 2 IoCs

pid	Process
5076	ecxopti.exe
4204	abodsys.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrv3M\\abodsys.exe"	2f0aaee99e8411db8265db84227af6be_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxFW\\bodxec.exe"	2f0aaee99e8411db8265db84227af6be_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4752	2f0aaee99e8411db8265db84227af6be_JaffaCakes118.exe
4752	2f0aaee99e8411db8265db84227af6be_JaffaCakes118.exe
4752	2f0aaee99e8411db8265db84227af6be_JaffaCakes118.exe
4752	2f0aaee99e8411db8265db84227af6be_JaffaCakes118.exe
5076	ecxopti.exe
5076	ecxopti.exe
4204	abodsys.exe
4204	abodsys.exe
5076	ecxopti.exe
5076	ecxopti.exe
4204	abodsys.exe
4204	abodsys.exe
5076	ecxopti.exe
5076	ecxopti.exe
4204	abodsys.exe
4204	abodsys.exe
5076	ecxopti.exe
5076	ecxopti.exe
4204	abodsys.exe
4204	abodsys.exe
5076	ecxopti.exe
5076	ecxopti.exe
4204	abodsys.exe
4204	abodsys.exe
5076	ecxopti.exe
5076	ecxopti.exe
4204	abodsys.exe
4204	abodsys.exe
5076	ecxopti.exe
5076	ecxopti.exe
4204	abodsys.exe
4204	abodsys.exe
5076	ecxopti.exe
5076	ecxopti.exe
4204	abodsys.exe
4204	abodsys.exe
5076	ecxopti.exe
5076	ecxopti.exe
4204	abodsys.exe
4204	abodsys.exe
5076	ecxopti.exe
5076	ecxopti.exe
4204	abodsys.exe
4204	abodsys.exe
5076	ecxopti.exe
5076	ecxopti.exe
4204	abodsys.exe
4204	abodsys.exe
5076	ecxopti.exe
5076	ecxopti.exe
4204	abodsys.exe
4204	abodsys.exe
5076	ecxopti.exe
5076	ecxopti.exe
4204	abodsys.exe
4204	abodsys.exe
5076	ecxopti.exe
5076	ecxopti.exe
4204	abodsys.exe
4204	abodsys.exe
5076	ecxopti.exe
5076	ecxopti.exe
4204	abodsys.exe
4204	abodsys.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4752 wrote to memory of 5076	4752	2f0aaee99e8411db8265db84227af6be_JaffaCakes118.exe	94
PID 4752 wrote to memory of 5076	4752	2f0aaee99e8411db8265db84227af6be_JaffaCakes118.exe	94
PID 4752 wrote to memory of 5076	4752	2f0aaee99e8411db8265db84227af6be_JaffaCakes118.exe	94
PID 4752 wrote to memory of 4204	4752	2f0aaee99e8411db8265db84227af6be_JaffaCakes118.exe	96
PID 4752 wrote to memory of 4204	4752	2f0aaee99e8411db8265db84227af6be_JaffaCakes118.exe	96
PID 4752 wrote to memory of 4204	4752	2f0aaee99e8411db8265db84227af6be_JaffaCakes118.exe	96

C:\Users\Admin\AppData\Local\Temp\2f0aaee99e8411db8265db84227af6be_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\2f0aaee99e8411db8265db84227af6be_JaffaCakes118.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4752
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:5076
- C:\SysDrv3M\abodsys.exe
  C:\SysDrv3M\abodsys.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:4204

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\GalaxFW\bodxec.exe

Filesize
335KB

MD5
f8d2fbed6d89e6f9aaf8bec3f9c9413e

SHA1
b8f7e86481d7e43e1aea9815a145f9c9007b0881

SHA256
72544fd6cc1eeeb43cff734a811858281c24377027d71872e880ef2b6039b89a

SHA512
50b266cf24fb0a8b417461bda6ac4221c8e7831e7e080615f6cd6cf0b4e739fa7803863fe70feded7bc06735f01c5b99522de5b9d2fa2a4360d87ec829d44640

Download Submit
C:\GalaxFW\bodxec.exe

Filesize
3.0MB

MD5
ad07178b11f0a6230cabd639b51e13ab

SHA1
10f4b4a03ca0b51972d8c183c805e5894960b777

SHA256
720b489721cd5988550497e4bbb676567f4e59ae45d0559d1033d569bf91603e

SHA512
4e94947a290ffd5cfc3fd28126a5bfd796a57680c37b82a548d1affd69398591f1e573da236c78133034586eeec47681d3b59bb0887d1603c2dd54ed612a4355

Download Submit
C:\SysDrv3M\abodsys.exe

Filesize
343KB

MD5
8419b84c266ce5487b83be1e50d2c818

SHA1
30ec0a2812f3c71333235c224e3c47ad1ec305d1

SHA256
e5a409c29f2138ac54d7a69f07fe544102d8001e6f295375347c61e0eb138e6c

SHA512
3e22b76d4cb673b393436dc55435d1463756da7cbcc72c441a767c5d5b342866c0a20e196df70c5389bc95320341b51e6770811f0cd4447a5a2dff2ac094f353

Download Submit
C:\SysDrv3M\abodsys.exe

Filesize
3.0MB

MD5
654f693d7a00736ca6cd57ab511f6075

SHA1
9e6b6fc72d40b1b27fb9bcc6b5ee84584d421a56

SHA256
30c55a096134ae770a9075a8bd6fa2febc0d1d247309d45386c63253852f2041

SHA512
b5d1f44cf62d9daf1e0167ebcad0b76fddb977a05ffe6c878fefc649789835fb3bf8b458d9de7a9dadda9cc85df155e3cfe440114ee41062a88f716d517cbefc

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
201B

MD5
d25aa8ccde5c8bdf38cfb17e186e1e85

SHA1
693adc8fc8097f899b76be4a25716597510f8343

SHA256
539721a5cb8ff736c7d38bd692b05588d1886c0256882189700adca718589a36

SHA512
f11348362916dec50ce24668410e169aabff6da488f8ab858e0a2c9335487d8eb9dcc5fbbe11771d2648be74a72244337eba8996406f7e1f3b118dcd57d8cdb7

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
169B

MD5
6b4cf1f28b867c1a345ffd50ed11ca68

SHA1
6058f3e415a7bce481c14b16e11238db37259631

SHA256
5463f10a52e9a4ad5bd2279687edc82bccb9c58e0c8bf9367e98f16d06a4cf0b

SHA512
78397f0cadc4a45f9f4c640094cfe00e9609691afb6ebdcb0940f9a82af2ab159e7c2f76dc245e26f0a2d0243bf5625ef69b00f89106623b5f682fb32416d2b0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe

Filesize
3.0MB

MD5
cd6fa5d9e84e25c1fa4daf675f7613c7

SHA1
68cb4e0a55116f3f0de2565e1e94fcc10a6c8c89

SHA256
f3f9c33c75938458cb1d1968a50c58a3aafd72ad5f8462071a8fe1ed7c6df7cd

SHA512
d9668595aa020a1327032723c727a620b9dabf4656e3dfe456912c1d51cc61f46154ae664ce481e01fe60da3634ca2ba87ac339a698ea538f5c3d190b394ecdc

Download Submit